alphaspirit - Fotolia

Get started Bring yourself up to speed with our introductory content.

Bloom cookies: Privacy without prohibiting Web personalization?

While cookies are critical to delivering personalized Web content, they are a privacy concern. Learn how adding Bloom filters to cookies can help enhance privacy while maintaining personalization.

Microsoft proposes adding something called "Bloom filters" to cookies to eliminate tracking in a Web search. How does this technology work and how can Bloom cookies potentially impact enterprise security?

Many online services offer personalized information to their users based on user profiles. These profiles are often pieced together from information such as websites frequently visited, user interests and demographic information collected by tracking multiple online activities of the same user and linking them together.

Most users don't fully understand how this information is gathered or how to control how and when it is captured. The growing use of undeletable cookies and browser and device fingerprinting to track and profile users as they browse the Internet is making it even harder for anyone concerned about their privacy to prevent their activities being tracked and analyzed.

A user can hide their IP address using proxies or anonymity networks such as TOR to limit the ability of sites and services to track their Internet use. There is also the option to block cookies and browse in private mode to prevent being tracked by sites using traditional persistent cookies. However, preventing services from delivering personalized content by blocking access to the information needed to form a profile also has its downsides. Search results won't be so well-tailored to a user's particular interests; for example, offers and news items won't be so relevant.

So how do enterprises minimize the risk of their employees being unduly tracked by an online service while allowing content providers to deliver personalized content?

Various privacy-preserving Web personalization systems use profile obfuscation techniques, namely profile generalization and noise injection. The generalization method only shares high level information -- such as the category of frequently visited websites instead of actual URLs. Non-tracking advertising systems like Privad: Practical Privacy in Online Advertising, Adnostic: Privacy Preserving Targeted Advertising and RePriv: in-browser personalization and privacy advocate using generalized profiles to protect users' privacy, but even with generalized profiles it is possible to link a user's searches across time.

The other technique -- noise injection -- addresses this problem as it adds fake information to obscure a user's actual activities. However, a noisy profile can be very large and impose a large communication overhead between browser and server. It also requires a noise dictionary generated by a trusted third party.

Researchers at Microsoft and the University of California found that noise injection provides a better privacy-personalization tradeoff than generalization, and to overcome the existing drawbacks of noise injection are proposing a solution called "Bloom cookies." Bloom cookies are a noisy profile based on Bloom filters that are significantly smaller compared to the size of today's Web cookies and don't require a noise dictionary.

A Bloom cookie is generated and maintained by the client device, giving the user control over what profile information is included in the Bloom cookie and to which online services it's sent. If a user disabled third-party cookies in their browser, servers would use the content of the Bloom cookie to deliver personalized results to the user. The researchers offer an algorithm that, given a user's privacy and Web personalization goals, can automatically configure a Bloom cookie's parameters such as how much noise is added to the cookie.

The researchers chose Web searches to test this new form of cookie and found they could encode a user's profile in an efficient yet privacy-preserving manner while still allowing servers to personalize search results in a useful manner. Further research is needed into how to they may work effectively in a multiservice scenario where, for example, Google or Microsoft can track users using their Web search, email and other services based on their IP address.

Putting users back in control of what personal information they share makes this a very interesting proposal, particularly as communication overhead is lower and there's no dependency on a noise dictionary. However, the privacy guarantee of Bloom cookies is a statistical one rather than an absolute one. There will be users whose online activities and interests are so distinct that even with large amounts of noise they would remain linkable across IP sessions.

Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Learn more about the good and bad of cookies

This was last published in July 2015

Dig Deeper on Web browser security